Fast-casual chain reveals culprit of recent data breach

Press enter to search
Close search
Open Menu

Fast-casual chain reveals culprit of recent data breach

By Deena M. Amato-McCoy - 05/26/2017

Chipotle Mexican Grill is coming clean about a cyber-attack that targeted the chain last month.

An extensive investigation lead by leading cyber security firms, law enforcement and the payment card networks revealed that malware accessed payment card data used at point-of-sale (POS) devices at certain Chipotle and Pizzeria Locale restaurants between March 24 and April 18. Not all locations were involved, and the specific timeframes vary by location, according to the chain.

This is a more extensive description than the company’s initial report. Last month, Chipotle revealed that it detected “unauthorized activity” on its payment processing network, according to CNBC.

Specifically, the software searched for track data —which can include cardholder names, card numbers, expiration dates, and internal verification code — which is embedded in a payment card’s magnetic stripe. Hackers poached the information as it was routed through POS devices.

According to Chipotle, there is no indication that other customer information was affected. The chain declined to comment on how many payment cards have been affected.

During the investigation, Chipotle removed the malware and continues to work with cyber security firms to further improve its security measures. Besides continuing to support law enforcement’s investigation, the chain is also working with the payment card networks, a move that enables the banks that issue payment cards to heighten monitoring efforts.

Lists of affected Chipotle and Pizzeria Locale restaurant locations and specific timeframes are available at each brand’s website. In the mean-time, the company is urging “customers that used a payment card at an af-fected location to review their payment card statements for any unauthor-ized activity. All affected customers are urged to immediately report any unauthorized charges to their card issuer,” Chipotle said.

This is not the first public relations blow the Denver-based chain has faced. Chipotle, which operates more than 2,300 restaurants, continues to rebuild its reputation after a wave of food safety incidents in 2015 scared away customers, negatively impacting sales.